Agentless Workload Scanning for Google Cloud - Project Integration (Terraform)
Overview
This article describes how to integrate your Google Cloud project with Lacework's Agentless Workload Scanning.
Google Cloud Project Integration
Choose which type of Google Cloud Agentless Workload Scanning integration you want to perform:
See Lacework Terraform Module for Agentless Workload Scanning on Google Cloud for all available Terraform integration options and additional deployment examples.
Option 1: Project Integration - Single Region
In this example, we add Terraform modules to one Google Cloud region:
- Global resources are deployed to the us-east1 Google provider region:
  - Service Accounts/Permissions
  - Object Storage Bucket
  - Secret Manager Secret
- Regional resources are deployed to the us-east1 Google provider region:
  - Cloud Run Job
  - Cloud Scheduler Job
Use the example below for your versions.tf file:

  terraform {
    required_version = ">= 1.5"
    required_providers {
      lacework = {
        source  = "lacework/lacework"
        version = "~> 1.19"
      }
    }
  }

Use the example below for your main.tf file:

  # Set your Lacework profile here. With the Lacework CLI, use
  # `lacework configure list` to get a list of available profiles.
  provider "lacework" {
    profile = "lw_agentless"
  }

  provider "google" {
    alias = "use1"
    # Set the ID of the project where the scanning resources are hosted.
    project = "agentless-lw-scanner"
    # Set the region where the scanning resources are hosted.
    region = "us-east1"
  }

  module "lacework_gcp_agentless_scanning_project_single_region" {
    source  = "lacework/agentless-scanning/gcp"
    version = "~> 2.0"
    providers = {
      google = google.use1
    }
    # Provide the list of Google Cloud projects that you want to monitor here.
    # Enter the ID of the projects.
    project_filter_list = [
      "monitored-project-1",
      "monitored-project-2"
    ]
    global                    = true
    regional                  = true
    organization_id           = "your-org-id"
    lacework_integration_name = "agentless_from_terraform"
  }

By default, only the project where the scanning resources are hosted is monitored. To monitor other projects, see How to Add or Remove Google Cloud Projects.
If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

  gcloud auth login
  gcloud auth application-default login
  gcloud config set project <scanning_project>

- Replace <scanning_project> with the project that will host the scanning resources (agentless-lw-scanner in this example).
- Replace

- Run terraform init to initialize the working directory (containing the Terraform files).
- Run terraform plan and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.
Option 2: Project Integration - Multi Region
In this example, we add Terraform modules to two Google Cloud regions:
- Global resources are deployed to us-east1:
  - Service Accounts/Permissions
  - Object Storage Bucket
  - Secret Manager Secret
- Regional resources are deployed to us-east1 and us-central1:
  - Cloud Run Job
  - Cloud Scheduler Job
Use the example below for your versions.tf file:

  terraform {
    required_version = ">= 1.5"
    required_providers {
      lacework = {
        source  = "lacework/lacework"
        version = "~> 1.19"
      }
    }
  }

Use the example below for your main.tf file:

  # Set your Lacework profile here. With the Lacework CLI, use
  # `lacework configure list` to get a list of available profiles.
  provider "lacework" {
    profile = "lw_agentless"
  }

  provider "google" {
    alias  = "use1"
    region = "us-east1"
    # Set the project name for where the scanning resources are hosted.
    # This must be assigned to the `global` region.
    project = "agentless-lw-scanner"
  }

  provider "google" {
    alias  = "usc1"
    region = "us-central1"
    # Set your default project ID for this region. This isn't required for
    # the Agentless integration, but is required by the Google Provider.
    # https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider
    project = "default-project-id"
  }

  module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
    source  = "lacework/agentless-scanning/gcp"
    version = "~> 2.0"
    providers = {
      google = google.use1
    }
    # Provide the list of Google Cloud projects that you want to monitor here.
    # Enter the ID of the projects.
    project_filter_list = [
      "monitored-project-1",
      "monitored-project-2"
    ]
    global                    = true
    regional                  = true
    organization_id           = "your-org-id"
    lacework_integration_name = "agentless_from_terraform"
  }

  module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
    source  = "lacework/agentless-scanning/gcp"
    version = "~> 2.0"
    providers = {
      google = google.usc1
    }
    regional                = true
    organization_id         = "your-org-id"
    global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1
  }

By default, only the project where the scanning resources are hosted is monitored. To monitor other projects, see How to Add or Remove Google Cloud Projects.
If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

  gcloud auth login
  gcloud auth application-default login
  gcloud config set project <scanning_project>

- Replace <scanning_project> with the project that will host the scanning resources (agentless-lw-scanner in this example).
- Replace

- Run terraform init to initialize the working directory (containing the Terraform files).
- Run terraform plan and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.
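The gcloud and Terraform steps are the same for Option 1 and Option 2, and the most common failure is running terraform apply with gcloud pointed at the wrong project or without Application Default Credentials. The following POSIX shell script is an added example, not Lacework's or the module's own tooling: it reads the scanning project from the first provider "google" block in main.tf (the assumption here is that this block, as in both examples above, hosts the global resources), compares it with the project selected via gcloud config, checks that the ADC file exists, and only then runs terraform init and terraform plan. The function names and the RUN_PREFLIGHT variable are mine.

```shell
#!/bin/sh
# Pre-flight checks before running Terraform for the Lacework agentless module.
# Added example (assumptions: main.tf is laid out as on this page, with the
# scanning project in the first `provider "google"` block; gcloud and
# terraform are on PATH when RUN_PREFLIGHT=1).

# Print the `project` value of the first `provider "google"` block in MAIN_TF.
# That block hosts the global scanning resources, so its project is the one
# `gcloud config set project` must point at.
tf_scanning_project() {
  awk '
    /^[ \t]*provider[ \t]+"google"/ { in_google = 1 }
    in_google && /^[ \t]*project[ \t]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
    }
    /^[ \t]*}/ { in_google = 0 }
  ' "$1"
}

# Return 0 when ACTIVE_PROJECT equals the scanning project declared in MAIN_TF,
# 1 otherwise (with a message on stderr explaining the mismatch).
check_project_matches() {
  main_tf=$1
  active=$2
  expected=$(tf_scanning_project "$main_tf")
  if [ -z "$expected" ]; then
    echo "no provider \"google\" project found in $main_tf" >&2
    return 1
  fi
  if [ "$expected" != "$active" ]; then
    echo "gcloud project is '$active' but $main_tf expects '$expected'" >&2
    return 1
  fi
  return 0
}

# Return 0 when Application Default Credentials are readable: either the file
# named by GOOGLE_APPLICATION_CREDENTIALS or the file that
# `gcloud auth application-default login` writes (path overridable via $1).
check_adc_present() {
  adc_file=${1:-${GOOGLE_APPLICATION_CREDENTIALS:-$HOME/.config/gcloud/application_default_credentials.json}}
  [ -r "$adc_file" ]
}

# Run all checks against MAIN_TF (default main.tf), then init and plan.
preflight() {
  main_tf=${1:-main.tf}
  active=$(gcloud config get-value project 2>/dev/null)
  check_project_matches "$main_tf" "$active" || return 1
  check_adc_present || {
    echo "no ADC found; run: gcloud auth application-default login" >&2
    return 1
  }
  terraform init && terraform plan
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  preflight "$@"
fi
```

Run it from the directory holding main.tf with RUN_PREFLIGHT=1 sh preflight.sh main.tf; review the plan it prints before running terraform apply yourself. The script deliberately stops at plan rather than applying, so a mismatch between the gcloud project and the Terraform configuration is caught before any resource is created in the wrong project.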
Verify your Agentless Workload Scanning Integration
In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will display as Success if all resources are installed correctly. If the periodic scanning encounters an error, the status will display the error details.
Remove an Agentless Workload Scanning Integration
Start in the Lacework console.
- In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
- Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.
Using Terraform, run terraform destroy for the Agentless module.
How to Add or Remove Google Cloud Projects
Add or Remove Google Cloud Projects using the Lacework Console
Using the Lacework Console to add or remove projects is not possible for a Google Cloud project integration.
See the Terraform method instead.
Add or Remove Google Cloud Projects using Terraform
If you want to add or remove projects to be monitored from your integration, you will need to update your main.tf file and rerun Terraform.
Add or remove the Google Cloud projects to be monitored from the project_filter_list in your main.tf file.

Example for adding projects:

  # Enter the ID of the projects.
  project_filter_list = [
    "monitored-project-1",
    "monitored-project-2",
    "additional-project-1",
    "additional-project-2"
  ]

If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

  gcloud auth login
  gcloud auth application-default login
  gcloud config set project <scanning_project>

- Replace <scanning_project> with the project that hosts the scanning resources.
- Replace

- Run terraform init to initialize the working directory (containing the Terraform files).
- Run terraform plan and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.
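Editing project_filter_list by hand is error-prone when the list is long or maintained by several people (a duplicated ID, a stale project left behind after decommissioning). As an added example, not Lacework's tooling, the POSIX shell functions below list, add and remove monitored project IDs in main.tf in place, keeping the surrounding module block untouched; a second add of the same ID is a no-op, so the script can be re-run safely before terraform plan. It assumes the list is written as on this page, one quoted ID per line between project_filter_list = [ and the closing ]; the function names are mine.

```shell
#!/bin/sh
# Maintain project_filter_list in main.tf from the shell. Added example
# (assumption: the list is one quoted project ID per line between
# `project_filter_list = [` and `]`, exactly as shown on this page).

# Print the monitored project IDs from MAIN_TF, one per line.
list_monitored_projects() {
  awk '
    /^[ \t]*project_filter_list[ \t]*=[ \t]*\[/ { in_list = 1; next }
    in_list && /^[ \t]*\]/ { in_list = 0 }
    in_list && /"/ { sub(/^[^"]*"/, ""); sub(/".*$/, ""); print }
  ' "$1"
}

# Rewrite MAIN_TF so that project_filter_list contains exactly the IDs read
# from stdin (one per line; blanks dropped, duplicates removed, order kept).
# Indentation of the list is taken from the existing `project_filter_list` line.
write_monitored_projects() {
  main_tf=$1
  ids=$(awk '$0 != "" && !seen[$0]++')
  out=$(mktemp)
  awk -v ids="$ids" '
    BEGIN { n = split(ids, arr, "\n") }
    /^[ \t]*project_filter_list[ \t]*=[ \t]*\[/ {
      match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
      print indent "project_filter_list = ["
      for (i = 1; i <= n; i++) print indent "  \"" arr[i] "\"" (i < n ? "," : "")
      print indent "]"
      if ($0 !~ /\]/) skipping = 1   # multi-line list: drop the old entries
      next
    }
    skipping && /^[ \t]*\]/ { skipping = 0; next }
    !skipping { print }
  ' "$main_tf" > "$out" && mv "$out" "$main_tf"
}

# Add PROJECT_ID to the list in MAIN_TF (idempotent).
add_monitored_project() {
  { list_monitored_projects "$1"; echo "$2"; } | write_monitored_projects "$1"
}

# Remove PROJECT_ID from the list in MAIN_TF (no-op if absent).
remove_monitored_project() {
  list_monitored_projects "$1" | awk -v id="$2" '$0 != id' | write_monitored_projects "$1"
}
```

Typical use is add_monitored_project main.tf additional-project-1 followed by terraform plan, then terraform apply once the plan shows only the expected change to the integration. Because write_monitored_projects regenerates the whole list from list_monitored_projects, the result is always a syntactically valid HCL list, including the edge case where every project has been removed and the list is empty.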
Next Steps
- View scanning results in the Lacework Console.
- Read FAQs on Agentless Workload Scanning.